Hi all,
I am attaching a patch which tries to add some notes which are missing from
key_extras documentation in squid.conf.documented. For example the
current squid.conf.documented in trunk does not say that the
expanded key_extras value is added to the Squid credentials cache and,
hence, will affect authentication.
Please review that the added documentation covers most of the problems
that may appear from key_extras misuse.
Regards,
Christos
=== modified file 'src/cf.data.pre'
--- src/cf.data.pre 2014-01-12 17:51:12 +0000
+++ src/cf.data.pre 2014-01-27 10:06:21 +0000
@@ -313,40 +313,50 @@
Ports flagged 'transparent', 'intercept', or 'tproxy' have
authentication disabled.
=== Parameters common to all schemes. ===
"program" cmdline
Specifies the command for the external authenticator. Such a program
runs a loop that, on every iteration, reads a request line from
the standard and responds with a scheme-specific answer. The loop
stops when all input is exchausted (EOF). See scheme-specific
"program" descriptions below for details.
"key_extras" format
Specifies a string to be append to request line format for the
authentication helper. "Quoted" format values may contain spaces and
logformat %macros. In theory, any logformat %macro can be used.
In practice, a %macro expands as a dash (-) if the helper request is
sent before the required macro information is available to Squid.
By default, Squid uses request formats provided in scheme-specific
examples below (search for %credentials).
+ The expanded key_extras value is added to the Squid credentials
+ cache and, hence, will affect authentication. It can be used to
+ autenticate different users with dentical user names (e.g., when user
+ authentication depends on http_port).
+ Avoid adding frequently changing information to key_extras. For
+ example, if you add user source IP, and it changes frequently
+ in your environment, then max_user_ip ACL is going to treat every
+ user+IP combination as a unique "user", breaking the ACL and
+ wasting a lot of memory on those user records. It will also force
+ users to authenticate from scratch whenever their IP changes.
=== Parameters for the basic scheme follow. ===
"program" cmdline
Specify the command for the external authenticator. Such a program
reads a request_format line ("username password" by default) and
replies with one of three results:
OK
the user exists.
ERR
the user does not exist.
BH
An internal error occurred in the helper, preventing
a result being identified.
"ERR" and "BH" results may optionally be followed by message="..."
containing a description available as %m in the returned error page.
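Review bot: the added paragraph (the first `+` block) has two spelling errors that will ship into squid.conf.documented as-is: "autenticate" should be "authenticate" and "dentical" should be "identical", i.e. "It can be used to authenticate different users with identical user names (e.g., when user authentication depends on http_port)." Beyond that, the two new paragraphs make the important points clearly: the expanded value becomes part of the credentials cache key, so it changes who is treated as the same authenticated user, and a volatile value such as a client IP multiplies cache entries and defeats max_user_ip. One small wording suggestion for the second paragraph: "if you add user source IP" reads better as "if you add the user's source IP".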